Vulnerabilities Scoring Approach for Cloud SaaS

It is known to be full of challenges to score vulnerabilities of cloud services developed by different third-party providers. Although there have been a few systems for scoring vulnerabilities (e.g., CVSS) of many existing softwares, most of them are unable to be leveraged to score vulnerabilities in cloud services, because they fail to consider some important factors located in the clouds such as business context (i.e., Dependency relationships between services). This paper presents VScorer, a novel security framework to score vulnerabilities in various cloud services based on different given requirements. By inputting concrete business context and security requirement into VScorer, cloud provider can get a ranking list of vulnerabilities in the business based on the given security requirement. Following the ranking list, cloud provider is able to patch the most critical vulnerabilities first. We developed a prototype and demonstrate VScorer can work better than current representative vulnerability scoring system CVSS.